Key steps we have taken to ensure mye-coach complies with GDPR

Step 1 - Awareness

As part of our ISO/IEC 27001:2013 Certification, we must prove our team are fully trained and aware of the data protection rules. So, rest assured that our team are fully aware of GDPR and the broad principles involved, and this continues to remain “top of our minds” in the provision of our products and services.

Step 2 – Accountability

The bottom line here is that mye-coach users need to know:

  • what personal data we hold;
  • where it came from; and
  • who we have shared it with

We have updated our Privacy Policy to provide clear answers to these questions.

In summary, however, we have outlined below the key aspects:

How we collect data

Apart from a User’s name and email address (which an employer may add to register a User with their consent) the rest of the data held on the system will be data inserted by the User themselves, i.e. they are in control of their own data.

To ensure Users can clearly see what, when and who added the data we have provided clearer ways for people to see the origins of the data added, i.e. date/time stamp confirming when the record was created and by whom.

Protecting their own Data

There are built-in functions to allow Users to protect their own data, included, but not limited to:

  • The ability to hide themself on the system from all Users
  • The ability to hide their contact details on the system
  • The ability for admins to delete the User, and wipe all forms of personal data

Step 3 - Communicating Privacy Information

All Users have to agree to the Terms of Use of the system before accessing for the first time, which includes our Privacy Policy. This policy outlines how we collect the data, gives relevant points of contact for questions and queries, how we use the information and our lawful reason for processing the data, our data retention periods, and the individuals right to make a complaint to the ICO if they think their data is being handled incorrectly.

Whilst mye-coach is in control of data on the system, it is never removed from the system, sold or used with any third parties and we only have access to relevant data for ongoing User support.

Step 4 - Individual Rights

According to the regulations, Users should have certain rights when their data is involved, and at mye-coach, we could not agree more. This includes the right:

To be informed (Article 13) – we inform users who we are, why we need their personal data, how it will be used by mye-coach, how the User can modify it, how the User can access it, how the User can retract consent to hold and process their data and how the User can raise a complaint, should they wish to do so.

To access (Article 15) – we provide users with access to their personal data and explain in clear, non-technical terms how we process their data.

To rectification (Article 16) – we give users the ability to amend/change inaccurate or incomplete information that the system holds about them.

To erase (Article 17) in relation to the system data the “right to be erased” has always been available as mye-coach allows users to delete data, but we have also introduced functionality that allows data to be anonymised rather than deleted in ways that align with GDPR.

To restrict processing (Article 23) – we will in certain circumstances prevent any further processing/use of the users data going forward or until they re-grant us the right to process their data.

To data portability (Article 20) – we provide functionality for users to gain on request their personal data in a structured and commonly used format i.e. CSV file. If a user decides to download and export this data from our system, they are warned that once they download this data they become both the controller and processor of the data and must align to GDPR principles.

To object (Article 21) – Our Privacy Policy outlines the right to object to their data being used/processed. Please note that mye-coach does NOT use users' data for any other purpose other than to enable us to process the data to enable the operation of our products and services.

Not to be subject to automated decision-making including profiling (Article 22) – Our Privacy Policy makes it clear to users that the data they provide will be used to help other users find them on mye-coach with the intent of connecting them with a suitable coaching and/or mentoring provision.

Step 5 – Access Requests

Users can view, edit and manage their private data in Privacy Settings. They can also make a data access request from here which will go straight to our Data Protection Officer.

There is also an internal process is in place to:

  • ensure our staff recognise a request and act upon a data request immediately;
  • record and log the access request and
  • securely provide the information to the user free of charge within 30 day

Step 6 - Lawful basis for processing personal data

Our Privacy Policy clearly outlines the lawful basis for the processing activity of the data we use.

Step 7 - Consent

Our log in process ensures that Users provide consent for us to process their data. This includes agreeing to our Privacy and Cookie Policy as part of our online Terms of Use.

Step 8 - Children

Mye-coach does not allow users under the age of 18 to access the system.

Step 9 – Data Breaches

We have the right procedures in place to detect, report and investigate a personal data breach.

In our capacity as a data processor, we have measures in place to detect system-based data breaches and will notify Users in accordance with our contractual obligations if a breach occurs.

From the controller’s perspective breaches are potentially more likely to occur because of human intervention. To mitigate this and aid detection there are some simple measures that can but put in place such as ensuring that all Users have unique logins.

Both measures should ensure that any malicious actions will leave an audit trail that can be used to help with detection, reporting and investigation.

Step 10 and 11 - Data Protection - Impact Assessments and Officers

In our humble opinion, the job title here is less important than the actions that we undertake. All our staff are Data Protection Officers but in line with GDPR we have a nominated Data Protection Officer who:

  • has the requisite knowledge (now and going forwards) about GDPR
  • will champion GDPR within our organisation
  • is be responsible for complying with GDPR
  • continues to ensure that data protection is “designed in” to our business planning/processes changes
  • can evolve, mature and improve how we comply with GDPR and keep our client’s data safe

Regular audits and impact assessments are undertaken to ensure the suitability, relevance and application of our policies and procedures.

Step 12 - International

mye-coach operates in more than one EU member state. Our lead authority is the supervisory authority in the state where our main establishment is, which is the UK.

Beyond and in addition to GDPR…

In addition to aligning to and complying with GDPR we continue to adhere to ISO/IEC 27001:2013 Standards and have multiple layers of security to ensure your data remains secure, private and available. Find out more here